AQL-System

System using the Analysis Query Language

AQL

The Android App Analysis Query Language (AQL) consists of two main parts, namely AQL-Queries and AQL-Answers.
AQL-Queries enable us to ask for Android specific analysis subjects in a general, tool independent way.
The grammar defining AQL-Queries can be found here.

Example 1: AQL-Queries

The following exemplary query can be used to get all Flows (e.g. taint flows) inside one app:

Flows IN App(’/path/to/example.apk’) ?

it is also possible to ask more specifically (or to filter the result):

It shows a taint flow from a getDeviceId() statement to a sendTextMessage(...) statement.

AQL-System

The associated AQL-System takes AQL-Queries as input and outputs AQL-Answers.
To do so, it requires a configuration in form of an .xml file that describes

which tools are avaliable in a certain instance of the AQL-System and how to execute these,

which queries can be answered by which tool and

how to convert a tool’s result into an AQLAnswer.

Example 3

For instance, an AQL-System can be configured to execute FlowDroid in case of intra-app flow questions and IccTA in case of inter-app questions, since FlowDroid does not support such questions.
Considering the example from above the AQL-System recognizes that FlowDroid is available and able to answer the query regarding flows inside one app only.
Consequently, FlowDroid is launched and its result is converted into an AQL-Answer.

Build is stored inside the project’s directory: projectDirectory/target/build(projectDirectory refers to your local project directory and consequently has to be replaced by the actual directory and its path)